DNS security

Managing your DNS infrastructure

Given the central role of the Domain Name System (DNS) in Internet networks, it is no surprise that it is a prime target for hackers and cybercriminals. The original design of DNS did not include any provision for security as it was engineered to be as open and scalable as possible. This has meant that DNS remains vulnerable to a number of different security threats, including Distributed Denial of Service (DDoS) assaults, fast fluxing, amplification attacks, and DNS cache poisoning.

The most well-known DNS-related attack is cache poisoning (or DNS spoofing), a hack in which bad data is injected into a DNS resolver’s cache, causing the return of an incorrect IP address, and thereby diverting traffic to an attacker’s computer (where it is subject to phishing attacks and the distribution of malware).

Another major DNS headache is amplification attack (aka DNS reflection attack), a type of DDoS assault that takes advantage of the fact that a small DNS query can generate a much larger response. DNS amplification is a growing threat, featuring in over a third of high volume DDoS attacks.[1] An extreme form, known as distributed reflective DDoS, can co-ordinate many thousands of amplifiers from a single Internet uplink.

A more recent security concern has been the growth in malware botnets making use of DNS for tunnelling covert channels of command and control to networks of compromised computers (e.g. feederbot).

Securing DNS

With all these threats looming it is vitally important to pay attention to DNS security, and, in particular, make use of the Domain Name System Security Extensions (DNSSEC). These extensions improve security by supporting authentication across the domain name resolution process using public key cryptography. This digital signature ensures DNS record integrity when names are being resolved, and can help with forensic analysis should an attack attempt be made.

Other measures to enhance DNS security include well-patched DNS software, DNS firewalls, segregating authoritative and caching DNS servers, and building in redundancy to eliminate single points of failure.

Implementing DNSSEC

In response to security concerns, DNSSEC was introduced in 1997, but it is still not widely deployed; Verisign, for example, publish a log which shows that only around 0.4% of .com domains implement these security extensions.[2]

A key reason for this is the difficulty of manually implementing and managing DNSSEC security across DNS infrastructure. For example, all DNS zones need to be signed for DNSSEC to be effective – difficult to achieve by manual configuration across a large network. A poorly implemented DNSSEC installation can also cause performance problems and adds to the complexities of managing DDI/DNS (for example, handling digital key administration and rollover).

The activereach Solution: DNS Security & Threat Protection

activereach’s DNS security solution helps to eliminate the difficulties of implementing DNSSEC, and associated threat protections, by providing a family of specialist hardware appliances especially designed for a variety of domain scenarios. The rack-mountable hardware supports robust, secure performance using a custom-built, hardened Linux operating system and solid-state storage for maximum resilience. Our easy-to-use equipment is built to support architectural designs that maximise DNS security through segregated ‘sandboxing’ of services, separation of recursive and authoritative servers, in-built firewall options and integrated DNSSEC.

Our state-of-the-art solution features:

  • Ultra-secure, high-performance, authoritative and cacheing DNS.
  • An integrated plug-and-play family of DNS units ranging from master to slave.
  • Web-based graphical interface which is easy to use and configure.
  • Purpose-built to handle the latest DNS security provisions, including DNSSEC.
  • Automated DNSSEC key management and rollover.
  • High performance resolvers to mitigate the extra latency of DNSSEC requests.
  • Automated DNS zone signing.
  • Rate-limiter to protect against DDoS attacks.
  • Built-in firewall with remote administration via secure links (SSH/SSL).
  • Automatic, routine software updates to protect against any emerging, ‘zero-day’ security vulnerabilities in embedded DNS software.
  • AES encrypted IPsec connections between servers, authenticating and encrypting all traffic between units.

[1] Douglas C. MacFarland et al. ‘Characterizing Optimal DNS Amplification Attacks and Effective Mitigation’, 16th International Conference, PAM 2015, New York, USA, 2015, LNCS 8995, pp. 15–27.

[2] http://scoreboard.verisignlabs.com